They Lost Americans’ Data, but Not Their Jobs: Why Equifax Execs Could Walk
In early September, hackers breached data at Equifax, a consumer credit reports company. Exposed data included names, Social Security numbers, birth dates, addresses, and even driver’s license numbers. Even though the hack does not represent the largest breach of security in the nation’s history, the sheer depth puts it on another scale.
Equifax’s breach represents a massive portion of Americans
The criminals gained access to data for as many as 143 million Americans, according to Ars Technica. For anyone trying to do a little mental math, that’s a whopping 44% of the population. Hackers also accessed credit card numbers for 209,000 customers, and dispute documents with personal information on them for 182,000 people. An unknown number of Canadian and U.K. customers also fell victim. The unauthorized access occurred between May and July, with Equifax officials discovering it on July 29.
“Criminals exploited a U.S. website application vulnerability to gain access to certain files,” Equifax said in a statement. This marks the second time Equifax has suffered a breach in the last three years. In 2013, hackers stole information from famous people – including President Joe Biden, FBI Director Robert Mueller, Attorney General Eric Holder, and Jay Z – due to lax security on annualcreditreport.com.
Affected customers want to see someone go down for the breach. There’s just one problem though.
Insanely enough, there are no criminal laws in place to protect data theft victims
Unlike in other industries, no criminal laws currently protect customers’ data. Equifax execs are likely staring down a number of class action suits and an FTC investigation, Fortune explained. Individual executives may resign – two already did – but will likely collect massive payouts on their way out the door.
Equifax executives will likely face no legal consequences, other than three officers who could face charges for selling stock before the breach was disclosed. And CEO Richard Smith will probably keep the $68.9 million he’s made from selling the company’s shares, as well.
According to Sam Buell, who teaches corporate criminal law at Duke University School of Law, scandals like these can – and should – trigger public conversations that lead to new regulatory oversight. “There’s a good argument this is one of those industries where there’s a need for a higher standard or the pain of criminal punishment,” he told Fortune. “When you’re in a business that has the potential to do this scale of harm, you have a duty of care for your product that could be covered by criminal law.”
That said, one rule might trip them up if lawyers can figure out the right way to use it.
What you don’t know can hurt you
A little-known rule called “the responsible corporate officer doctrine” can find individual corporate officers guilty. If the officers knew, or should have known, about the criminal activity, they can go down for it, according to a publication by Warner Norcross & Judd.
Historically, the RCO doctrine has applied to federal laws such as the Federal Food, Drug, and Cosmetic Act, but some scholars say it can be used for data as well. Under the rule, officers don’t have to exhibit any unlawful intent, negligence, knowledge of the violation, or direct participation in the wrongdoing. The government just needs to prove that the executive:
- Held a position of responsibility and authority in the corporation
- Had the ability to prevent the violation
- Failed to prevent the violation
The FDA commissioner has expressed the agency’s desire to “increase the appropriate use of misdemeanor prosecutions … to hold corporate officers responsible,” the law firm explained. In addition, the Assistant Attorney General pledged a “renewed focus on individual wrongdoers” and a desire to “pursue individuals responsible for illegal conduct just as vigorously as we do companies.”
In addition, the FDA issued guidelines in January 2011 identifying the RCO doctrine as a valuable enforcement tool. It allows executives to “be held liable for a first-time misdemeanor (and possible subsequent felony) under the [FDCA] without proof that the corporate official acted with intent or even negligence, and even if such corporate official did not have any actual knowledge of, or participation in, the specific offense.”
Practically, what does that mean for Equifax? Let’s find out.
Several high-level investigations have opened into the attack
The U.S. Federal Trade Commission will investigate the breach, according to Reuters. Stock shares have entered free fall, with a record high trading volume, and a 32% loss since the company disclosed the hack. Senate Democratic leader Chuck Schumer called the leadership’s treatment of its customers “disgusting.”
“It’s one of the most egregious examples of corporate malfeasances since Enron,” Schumer told the wire service. FTC spokesperson Peter Kaplan called a probe unusual, but the circumstances do warrant it.
“In light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach,” he said. Equifax and the FTC have not always gotten along, with allegations that Equifax had sold data on its customers in 2012.
That’s not the only investigation on the books either, with things going far further up the food chain than we could have imagined.
The FBI and Congress also have plans for Equifax
The FBI has also opened an investigation, The New York Times reported. United States Attorney John A. Horn said in a statement that his office was working with the FBI to investigate the cyberattack. At least 34 other attorneys general have also opened investigations, as well as the Consumer Financial Protection Bureau.
In addition, Equifax CEO Richard Smith will appear before the House Energy and Commerce Committee on Oct. 3, and the House Financial Services Committee intends to hold its own hearing at a future date. Smith has also pledged to cooperate with the committee.
Those hearings may result in better consumer protections, but penalties for leadership can be trickier. Even so, some top analysts have ideas for how to handle them.
Insider trading: Did they or didn’t they?
Mother Jones reported that the U.S. Department of Justice has eyes on three top officials at Equifax. A criminal investigation will look at Chief Financial Officer John Gamble, President of U.S. Information Solutions Joseph Loughran, and President of Workforce Solutions Rodolfo Ploder, on suspected insider trading. Those three reportedly sold almost $1.8 million of stock days after the agency discovered the breach. The sale also came well before the company announced it to the public, which looks bad for those officials.
While the company said the officials did not know about the breach when they sold the shares, the sales were not part of scheduled trading plans. A spokesperson for Equifax called them “small percentages” of their stock, according to Bloomberg. Gamble sold more than 13% of his share, Loughran 9%, and Ploder 4%.
Consequences for the trio remain unclear. “I don’t know how the board will allow these executives to continue in their positions,” said Bart Friedman, a senior counsel at Cahill Gordon & Reindel LLP, who advises boards on such matters. “Yes, they should have a careful investigation and have an independent law firm interview the executives and review their emails and determine what they knew and when, but the end result is likely clear.”
That trading might put a nail in the coffin for those three, not the breach itself. Next, we hear what officials think about it.
‘They should go to jail,’ says banking committee member
Democratic Senator Heidi Heitkamp called the possible sale “disturbing,” according to a report by Reuters. “If that happened, somebody needs to go to jail,” she told a credit union industry conference in Washington. “It’s a problem when people can act with impunity with no consequences. How is that not insider trading?”
Heitkamp is not alone in her criticisms. 36 other senators have called on authorities to investigate. “We request that you spare no effort in your investigations and in enforcing the law to the fullest extent,” the letter said.
While no criminal charges have yet been leveled, many suits will follow. Whether the RCO doctrine applies in this case, we’re all going to have to watch to find out.